Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
• Provides secure remote access to individuals and businesses outside your network.
• Uses the Internet to route LAN traffic from one private network to another.
• The packets are unreadable by intermediary Internet computers because they are encrypted, and they can encapsulate (or carry) any kind of LAN communication.
• VPN systems do not protect your network—they merely transport data.
• Most modern VPN systems are combined with firewalls in a single device.
• The remote client authenticates itself to the VPN gateway.
• The client acquires a private IP address with DHCP-over-IPSec.
• The remote client is now part of the private network.
• VPNs solve the problem of direct Internet access to servers through a combination of the following fundamental components:
1. IP encapsulation
2. Cryptographic authentication
3. Data payload encryption
• Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are actually entirely different functions.
• Secure Sockets Layer (SSL) performs data payload encryption without cryptographic authentication of the remote user.
• A standard Windows logon performs cryptographic authentication without performing data payload encryption.
• An IP packet can contain any kind of information: program files, spreadsheet data, audio streams, or even other IP packets.
• When an IP packet contains another IP packet, it is called IP encapsulation, IP over IP, or IP/IP.
• Private networks should always use private address ranges for their internal networking and use Network Address Translation or proxying to access the public Internet.
• IP encapsulation can make it appear to computers inside the private network that distant networks are actually adjacent—separated from each other by a single router.
• But they are actually separated by many Internet routers and gateways, which may not even use the same address space because both internal networks are using address translation.
• The tunnel endpoint—be it a router, firewall, VPN appliance, or a server running a tunneling protocol—will receive the public IP packet, remove the internal packet contained within it, decrypt it (assuming that it’s encrypted—it doesn’t have to be), and then apply its routing rules to send the embedded packet on its way in the internal network.
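The encapsulation and tunnel-endpoint behaviour described above, as an added Python example that is not part of the slides. It builds a real IPv4 header (protocol number 4 is the IANA value for IP-in-IP), wraps a private-network packet in a public-network packet, and has the endpoint strip the outer header, verify both header checksums and route the inner packet by longest prefix match. The site addresses, the routing table and the gateway addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed; no encryption is applied, which the slide notes is optional.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 ("IP/IP") encapsulation
IPPROTO_TCP = 6


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words, as used for the IPv4 header (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) carrying payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    checksum = struct.pack("!H", ip_checksum(header))
    return header[:10] + checksum + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header, verifying the header checksum; returns fields plus the payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, gateway_src: str, gateway_dst: str) -> bytes:
    """Tunnel ingress: wrap a private-network packet inside a public-network packet."""
    return build_ipv4(gateway_src, gateway_dst, IPPROTO_IPIP, inner)


def tunnel_endpoint(outer: bytes, routes) -> tuple:
    """Tunnel egress: strip the outer header, recover the inner packet and pick the next hop.

    routes is a list of (ipaddress.IPv4Network, next_hop); the longest prefix wins.
    """
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not an IP/IP tunnel packet")
    inner = parse_ipv4(o["payload"])  # the inner header is checked independently of the outer
    dst = ipaddress.IPv4Address(inner["dst"])
    for network, next_hop in sorted(routes, key=lambda r: r[0].prefixlen, reverse=True):
        if dst in network:
            return inner, next_hop
    raise LookupError("no internal route for %s" % dst)


# Constructed scenario: site B (10.2.0.0/16) reaches site A (10.1.0.0/16) through gateways
# whose public addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SITE_A_ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "direct"),
    (ipaddress.ip_network("10.1.5.0/24"), "10.1.5.1"),
]


def demo() -> dict:
    """Send one packet from site B into site A's tunnel endpoint and report what each party sees."""
    inner = build_ipv4("10.2.0.7", "10.1.5.42", IPPROTO_TCP, b"hello from site B")
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    seen_on_internet = parse_ipv4(outer)  # all an intermediary router can read
    recovered, next_hop = tunnel_endpoint(outer, SITE_A_ROUTES)
    return {"outer_src": seen_on_internet["src"], "outer_dst": seen_on_internet["dst"],
            "inner_src": recovered["src"], "inner_dst": recovered["dst"],
            "next_hop": next_hop, "payload": recovered["payload"]}


if __name__ == "__main__":
    print(demo())
```

The intermediary sees only the two gateway addresses; the private 10.x addresses and the payload are visible only once the endpoint has removed the outer header. A corrupted outer header fails its checksum before the inner packet is ever looked at.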
• Cryptographic authentication is used to securely validate the identity of the remote user so the system can determine what level of security is appropriate for that user.
• In order for two devices from different vendors to be compatible, they must
  › support the same authentication and payload encryption algorithms, and
  › implement them in the same way.
• Data payload encryption is used to obfuscate the contents of the encapsulated data without relying on encapsulating an entire packet within another packet.
• In that manner, data payload encryption is exactly like normal IP networking except that the data payload has been encrypted.
• Data payload encryption obfuscates the data but does not keep header information private, so details of the internal network can be ascertained by analyzing the header information.
VPNs are:
• cheaper than WANs
• easier to establish than WANs
• slower than LANs
• less reliable
• less secure than local LANs and WANs
VPN protocols:
• IPSec tunnel mode
• L2TP
• PPTP
• IPSec is the IETF’s standard suite for secure IP communications; it relies on encryption to ensure the authenticity and privacy of IP communications.
• IPSec provides mechanisms that can be used to do the following:
  › Authenticate individual IP packets and guarantee that they are unmodified.
  › Encrypt the payload (data) of individual IP packets between two end systems.
  › Encapsulate a TCP or UDP socket between two end systems (hosts) inside an encrypted IP link (tunnel) established between intermediate systems (routers) to provide virtual private networking.
• IPSec performs these three functions using three independent mechanisms:
• Authenticated Headers (AH) to provide authenticity (integrity)
• Encapsulating Security Payload (ESP) to encrypt the data portion of an IP packet (integrity and confidentiality)
• Internet Key Exchange (IKE) for exchanging public keys (authentication)
• Computes a checksum of the header information of a TCP/IP packet
• Encrypts the checksum with the public key of the receiver
• The receiver decrypts the checksum with its key
• Checks the header against the checksum
• If the computed checksum is different, either:
  › decryption failed, or
  › the header has been modified
• Because NAT changes header information, IPSec AH cannot be reliably passed through a NAT.
• ESP can still be used to encrypt the payload, but support for ESP without AH varies among implementations of IPSec.
• With Encapsulating Security Payload, the transmitter encrypts the payload of an IP packet using the public key of the receiver.
• The receiver then decrypts the payload upon receipt and acts accordingly.
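The AH check, the NAT problem and ESP from the three slides above, as one added Python example that is not part of the slides. The packet is a constructed dictionary of header fields plus payload, the keys are constructed, and the cipher is a toy SHA-256 keystream standing in for the real one so the example needs only the standard library. The integrity check value is computed as an HMAC with a key shared by both ends, which is how the IPSec standards specify AH and ESP integrity; the example shows why AH fails once a NAT rewrites the source address while ESP, whose check covers only the encrypted payload, still verifies.

```python
import hashlib
import hmac
import os


# Constructed packet model: header fields an intermediary can read, plus the payload.
def make_packet(src: str, dst: str, proto: int, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "proto": proto, "payload": payload}


def _covered_by_ah(packet: dict) -> bytes:
    """Bytes the AH integrity check covers: immutable header fields plus the payload."""
    return b"|".join([packet["src"].encode(), packet["dst"].encode(),
                      bytes([packet["proto"]]), packet["payload"]])


def ah_protect(packet: dict, auth_key: bytes) -> dict:
    """Sender side: attach an AH-style integrity check value (keyed HMAC, shared key)."""
    p = dict(packet)
    p["ah_icv"] = hmac.new(auth_key, _covered_by_ah(packet), hashlib.sha256).digest()
    return p


def ah_verify(packet: dict, auth_key: bytes) -> bool:
    """Receiver side: recompute the ICV over header and payload; compare in constant time."""
    expected = hmac.new(auth_key, _covered_by_ah(packet), hashlib.sha256).digest()
    return hmac.compare_digest(expected, packet.get("ah_icv", b""))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256: a stand-in for the real cipher, not one to reuse."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def esp_protect(packet: dict, enc_key: bytes, auth_key: bytes, nonce: bytes = None) -> dict:
    """Encrypt the payload and tag the ciphertext only: ESP does not cover the outer header,
    which is both why the header stays readable and why ESP survives address translation."""
    nonce = nonce or os.urandom(8)
    ks = _keystream(enc_key, nonce, len(packet["payload"]))
    ciphertext = bytes(a ^ b for a, b in zip(packet["payload"], ks))
    p = dict(packet)
    p["payload"] = ciphertext
    p["esp_nonce"] = nonce
    p["esp_icv"] = hmac.new(auth_key, nonce + ciphertext, hashlib.sha256).digest()
    return p


def esp_unprotect(packet: dict, enc_key: bytes, auth_key: bytes) -> dict:
    """Receiver side: check the ESP integrity tag first, then decrypt the payload."""
    expected = hmac.new(auth_key, packet["esp_nonce"] + packet["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["esp_icv"]):
        raise ValueError("ESP integrity check failed")
    ks = _keystream(enc_key, packet["esp_nonce"], len(packet["payload"]))
    p = {k: v for k, v in packet.items() if not k.startswith("esp_")}
    p["payload"] = bytes(a ^ b for a, b in zip(packet["payload"], ks))
    return p


def nat_rewrite_source(packet: dict, public_src: str) -> dict:
    """What a NAT device does on the way out: rewrite the source address in the header."""
    p = dict(packet)
    p["src"] = public_src
    return p


def demo() -> dict:
    """Walk one packet through AH and ESP, with and without a NAT in the path (constructed keys)."""
    auth_key, enc_key = b"constructed-auth-key", b"constructed-enc-key"
    packet = make_packet("10.1.5.42", "10.2.0.7", 6, b"GET /index.html HTTP/1.1")
    with_ah = ah_protect(packet, auth_key)
    with_esp = esp_protect(packet, enc_key, auth_key)
    after_nat = nat_rewrite_source(with_esp, "203.0.113.10")
    return {
        "ah_ok_end_to_end": ah_verify(with_ah, auth_key),
        "ah_ok_after_nat": ah_verify(nat_rewrite_source(with_ah, "203.0.113.10"), auth_key),
        "esp_header_still_visible": with_esp["src"] == packet["src"],
        "esp_payload_hidden": with_esp["payload"] != packet["payload"],
        "esp_ok_after_nat": esp_unprotect(after_nat, enc_key, auth_key)["payload"] == packet["payload"],
    }
```

The `esp_header_still_visible` result is the point of the earlier slide on data payload encryption: ESP hides what is said, not who is talking to whom.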
• In early IPSec systems, public keys were manually installed via file transfer or by actually typing them in.
• Each machine’s public key had to be installed on the reciprocal machine.
• As the number of security associations a host required increased, the burden of manually keying machines became seriously problematic.
• The Internet Key Exchange (IKE) protocol obviates the necessity to manually key systems.
• IKE uses private key security to validate the remote firewall’s authority to create an IPSec connection and to securely exchange public keys.
• Once the public keys are exchanged and the encryption protocols are negotiated, a security association is automatically created on both hosts and normal IPSec communications can be established.
• Layer 2 Tunneling Protocol (L2TP) is an extension to the Point-to-Point Protocol (PPP).
• PPP is the protocol used when you dial into the Internet with a modem.
• It transfers data from your computer to a remote access server at your ISP.
• The ISP forwards the data on to the Internet.
• Like PPP, L2TP includes a mechanism for secure authentication using a number of different authentication mechanisms.
• Unlike pure IPSec tunneling, L2TP can support any interior protocol, including Internetwork Packet Exchange (IPX), AppleTalk and NetBEUI.
• L2TP packets can also be encrypted using IPSec.
• L2TP can be transported over any Data Link layer protocol (ATM, Ethernet, etc.) or Network layer protocol (IP, IPX, etc.).
• L2TP supports the three requisite functions to create a VPN: authentication, encryption, and tunneling.
• Microsoft and Cisco both recommend L2TP as their primary method for creating VPNs.
• It is not yet supported by most firewall vendors, however, and it does not transit network address translators well.
• PPTP was Microsoft’s first attempt at secure remote access for network users.
• PPTP creates an encrypted PPP session between two TCP/IP hosts.
• Unlike L2TP, PPTP operates only over TCP/IP.
• PPTP does not use IPSec to encrypt packets.
• It uses a hash of the user’s Windows NT password to create a private key between the client and the remote server.
• Because of its ubiquity, routing flexibility, and ease of use, PPTP is probably the most common form of VPN.
• Use a real firewall
  › Firewalls make ideal VPN endpoints because they can route translated packets between private systems.
• Secure the base operating system
  › No VPN solution provides effective security if the operating system of the machine is not secure.
• Use packet filtering to reject unknown hosts
  › You should always use packet filtering to reject connection attempts from every computer except those you’ve specifically set up to connect to your network remotely.
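A way to model that packet-filtering rule and check it against a log before it goes on the firewall, as an added Python example that is not from the slides: an allow list of the remote hosts you have set up, and a verdict for every VPN connection attempt in a constructed log. The ports and protocol numbers are the real ones for the technologies covered in this lecture (IKE on UDP 500, IPSec NAT traversal on UDP 4500, L2TP on UDP 1701, PPTP on TCP 1723, ESP as IP protocol 50); the addresses, the allow list and the log records are constructed.

```python
import ipaddress

# Services a VPN gateway exposes: (transport, destination port). ESP has no port, so it is
# keyed on its IP protocol number instead.
VPN_SERVICES = {("udp", 500), ("udp", 4500), ("udp", 1701), ("tcp", 1723), ("esp", 50)}

# Constructed allow list: the only remote hosts set up to connect to this network.
KNOWN_REMOTE_HOSTS = [
    ipaddress.ip_network("203.0.113.10/32"),   # branch office gateway
    ipaddress.ip_network("198.51.100.0/28"),   # telecommuter address block
]


def parse_attempt(line: str) -> dict:
    """Parse one constructed connection-attempt record written as space-separated key=value pairs."""
    fields = dict(part.split("=", 1) for part in line.split())
    proto = fields["proto"]
    # ESP records carry no port; use the protocol number so the lookup key is uniform.
    port = 50 if proto == "esp" else int(fields.get("dport", 0))
    return {"src": ipaddress.ip_address(fields["src"]), "proto": proto, "dport": port}


def decide(attempt: dict, allowed=KNOWN_REMOTE_HOSTS) -> str:
    """Reject every VPN connection attempt except those from hosts on the allow list."""
    if (attempt["proto"], attempt["dport"]) not in VPN_SERVICES:
        return "not-vpn"  # left to the rest of the firewall policy
    if any(attempt["src"] in net for net in allowed):
        return "accept"
    return "reject"


def filter_log(lines, allowed=KNOWN_REMOTE_HOSTS) -> list:
    """Return (source, verdict) per record; the rejects are what you would review or alert on."""
    return [(str(a["src"]), decide(a, allowed)) for a in map(parse_attempt, lines)]


# Constructed log of attempts against the VPN gateway at 192.0.2.1.
SAMPLE_LOG = [
    "src=203.0.113.10 dst=192.0.2.1 proto=udp dport=500",
    "src=198.51.100.7 dst=192.0.2.1 proto=udp dport=4500",
    "src=198.51.100.99 dst=192.0.2.1 proto=tcp dport=1723",
    "src=203.0.113.200 dst=192.0.2.1 proto=udp dport=1701",
    "src=203.0.113.10 dst=192.0.2.1 proto=esp",
    "src=203.0.113.200 dst=192.0.2.1 proto=tcp dport=443",
]

if __name__ == "__main__":
    for src, verdict in filter_log(SAMPLE_LOG):
        print(src, verdict)
```

The default is to reject: a source gets "accept" only by being on the list, which is the rule the slide states. Whatever filter you actually deploy should be checked against a log in the same way.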
• Compress before you encrypt
  › Properly encrypted data cannot be compressed.
  › This means that if you want to use compression, you must compress before you encrypt.
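Why the order matters, as an added Python example that is not from the slides: the same traffic sample is compressed and then encrypted, and encrypted and then compressed, and the two sizes are compared. A one-time pad with a fresh random pad stands in for the VPN cipher (its output is uniformly random, which is exactly the property that defeats compression); the traffic sample is constructed.

```python
import os
import zlib


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt(data: bytes) -> tuple:
    """One-time pad with a fresh random pad; returns (pad, ciphertext). Stand-in for the VPN cipher."""
    pad = os.urandom(len(data))
    return pad, xor_bytes(data, pad)


def compress_then_encrypt(data: bytes) -> tuple:
    """The right order: redundancy is removed while the data is still plaintext."""
    compressed = zlib.compress(data, 9)
    return encrypt(compressed)


def decrypt_then_decompress(pad: bytes, ciphertext: bytes) -> bytes:
    return zlib.decompress(xor_bytes(ciphertext, pad))


def encrypt_then_compress(data: bytes) -> tuple:
    """The wrong order: the compressor sees random-looking bytes and cannot shrink them."""
    pad, ciphertext = encrypt(data)
    return pad, zlib.compress(ciphertext, 9)


def compare_sizes(data: bytes) -> dict:
    """Bytes that would cross the tunnel for each ordering."""
    _, right_order = compress_then_encrypt(data)
    _, wrong_order = encrypt_then_compress(data)
    return {"plain": len(data), "compress_then_encrypt": len(right_order),
            "encrypt_then_compress": len(wrong_order)}


# Constructed, highly repetitive sample of the kind of LAN traffic a VPN carries.
SAMPLE = b"GET /intranet/index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n" * 50

if __name__ == "__main__":
    print(compare_sizes(SAMPLE))
```

The encrypt-then-compress output is never smaller than the plaintext: zlib falls back to storing incompressible input verbatim plus a few bytes of framing. Compress-then-encrypt shrinks the repetitive sample by well over half, and the receiver decrypts first and decompresses second.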
• Secure remote hosts
  › Consider the case of a home user with more than one computer who is using a proxy product like WinGate to share their Internet connection and also has a VPN tunnel established over the Internet to your network.
  › Any hacker on the planet could then proxy through the WinGate server directly into your private network.
JMeter webinar - integration with InfluxDB and Grafana
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 

L4 vpn

  • 1. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
  • 2.
    - Provide secure remote access to individuals and businesses outside your network.
    - They use the Internet to route LAN traffic from one private network to another.
    - The packets are unreadable by intermediary Internet computers because they are encrypted, and they can encapsulate (carry) any kind of LAN communication.
  • 3.
    - VPN systems do not protect your network; they merely transport data.
    - That is why most modern VPN systems are combined with firewalls in a single device.
  • 4. (diagram only)
  • 5. (diagram only)
  • 6.
    - The remote client authenticates itself to the VPN gateway.
    - The client acquires a private IP address via DHCP-over-IPSec.
    - The remote client is now part of the private network.
  • 7. (diagram only)
  • 8.
    - VPNs solve the problem of direct Internet access to servers through a combination of three fundamental components:
      1. IP encapsulation
      2. Cryptographic authentication
      3. Data payload encryption
  • 9.
    - Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are entirely different functions.
    - Secure Sockets Layer (SSL), as commonly deployed, performs data payload encryption without cryptographic authentication of the remote user: it authenticates the server, not the user (unless client certificates are used).
    - A standard Windows logon performs cryptographic authentication without performing data payload encryption.
  • 11.
    - An IP packet can contain any kind of information: program files, spreadsheet data, audio streams, or even other IP packets.
    - When an IP packet contains another IP packet, it is called IP encapsulation, IP over IP, or IP/IP.
    - Private networks should always use private (RFC 1918) address ranges for their internal networking and use Network Address Translation (NAT) or proxying to reach the public Internet.
  • 12.
    - IP encapsulation can make it appear to computers inside the private network that distant networks are adjacent, separated from each other by a single router.
    - In reality they are separated by many Internet routers and gateways, which do not even share the private networks' address space, because both internal networks sit behind address translation.
  • 13. (diagram only)
  • 14.
    - The tunnel endpoint (a router, firewall, VPN appliance, or a server running a tunneling protocol) receives the public IP packet, removes the internal packet contained within it, decrypts it (if it is encrypted; it does not have to be), and then applies its routing rules to send the embedded packet on its way in the internal network.
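The encapsulation and tunnel-endpoint behaviour of slides 11 to 14, as an added example that is not part of the lecture: a private-network packet is wrapped in a public IPv4 packet whose protocol field is 4 (IP-in-IP), and the endpoint strips the outer header, checks the inner addresses against the two sites' private ranges, and decides whether to forward. The two site networks (10.1.0.0/16 and 10.2.0.0/16), the gateway addresses and the sample payload are constructed for the demo; no encryption is applied, exactly as slide 14 allows.

```python
"""IP-in-IP encapsulation (protocol 4) and the tunnel endpoint that undoes it.
Added example, standard library only; addresses and payload are constructed."""
import ipaddress
import struct

IPPROTO_IPIP = 4   # outer packet's protocol field: the payload is another IP packet
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header whose checksum field is zero
    it yields the checksum; over a complete, intact header it yields zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Split a packet into header fields and payload, rejecting a bad checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:      # an intact header sums to zero
        raise ValueError("bad header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Sending gateway: carry a private-network packet inside a public one."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, peer_net: str, local_net: str) -> dict:
    """Receiving tunnel endpoint: strip the outer header, then apply its routing rules.
    The rule here: the inner source must belong to the peer's private range and the
    inner destination to ours; anything else is dropped rather than injected."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        return {"action": "drop", "reason": "not an IP-in-IP packet"}
    inner = parse_ipv4(o["payload"])
    if ipaddress.IPv4Address(inner["src"]) not in ipaddress.IPv4Network(peer_net):
        return {"action": "drop", "reason": "inner source not in peer network", "inner": inner}
    if ipaddress.IPv4Address(inner["dst"]) not in ipaddress.IPv4Network(local_net):
        return {"action": "drop", "reason": "inner destination not in local network", "inner": inner}
    return {"action": "forward", "inner": inner}


# Constructed topology: site A 10.1.0.0/16 behind 198.51.100.20, site B 10.2.0.0/16 behind 203.0.113.10
SITE_A_NET, SITE_A_GW = "10.1.0.0/16", "198.51.100.20"
SITE_B_NET, SITE_B_GW = "10.2.0.0/16", "203.0.113.10"


def demo() -> dict:
    """A host in site B talks to a host in site A; the hosts see one hop, the Internet sees IP/IP."""
    inner = build_ipv4("10.2.0.25", "10.1.0.7", IPPROTO_TCP, b"GET / HTTP/1.0\r\n\r\n")
    outer = encapsulate(inner, SITE_B_GW, SITE_A_GW)
    return decapsulate(outer, peer_net=SITE_B_NET, local_net=SITE_A_NET)


def demo_tampered() -> str:
    """A bit flipped in the outer header in transit is caught by the checksum alone."""
    outer = encapsulate(build_ipv4("10.2.0.25", "10.1.0.7", IPPROTO_TCP, b"x"), SITE_B_GW, SITE_A_GW)
    tampered = outer[:16] + bytes([outer[16] ^ 0x01]) + outer[17:]
    try:
        parse_ipv4(tampered)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(demo())
    print(demo_tampered())
```

The header checksum only detects accidental corruption: anyone on the path can rewrite the inner packet and recompute it, and nothing here proves the outer packet came from the peer gateway at all. That is the gap the cryptographic authentication of the following slides closes.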
  • 15.
    - Cryptographic authentication is used to securely validate the identity of the remote user so the system can determine what level of access is appropriate for that user.
    - For two devices from different vendors to interoperate, they must
      › support the same authentication and payload encryption algorithms, and
      › implement them in the same way.
  • 16.
    - Data payload encryption is used to obfuscate the contents of the encapsulated data without relying on encapsulating an entire packet within another packet.
    - In that manner, data payload encryption is exactly like normal IP networking except that the data payload has been encrypted.
  • 17.
    - It obfuscates the data but does not keep the header information private, so details of the internal network (addresses, protocols, ports) can be learned by analyzing the headers.
  • 18.
    - cheaper than WANs
    - easier to establish than WANs
    - slower than LANs
    - less reliable than LANs and WANs
    - less secure than local LANs and WANs
  • 19.
    - IPSec tunnel mode
    - L2TP
    - PPTP
  • 20.
    - IPSec is the IETF's standard suite for secure IP communications; it relies on cryptography to ensure the authenticity and privacy of IP communications.
  • 21.
    - IPSec provides mechanisms that can be used to:
      › Authenticate individual IP packets and guarantee that they are unmodified.
      › Encrypt the payload (data) of individual IP packets between two end systems.
      › Encapsulate a TCP or UDP socket between two end systems (hosts) inside an encrypted IP link (tunnel) established between intermediate systems (routers) to provide virtual private networking.
  • 22.
    - IPSec performs these three functions using three independent mechanisms:
      › Authentication Header (AH) to provide authenticity and integrity
      › Encapsulating Security Payload (ESP) to encrypt the data portion of an IP packet (confidentiality, plus integrity when an authentication algorithm is configured)
      › Internet Key Exchange (IKE) to authenticate the peers and negotiate the security associations and their keys
  • 23.
    - The sender computes a keyed integrity check value (an HMAC, e.g. HMAC-SHA1-96 or HMAC-SHA256-128) over the packet's payload and the immutable fields of its IP header, using a key shared with the receiver; fields that legitimately change in transit, such as TTL and the header checksum, are treated as zero for the computation.
    - The receiver recomputes the value with the same key and compares it with the value carried in the AH.
    - If the values differ, either
      › the key is wrong (the sender is not who it claims to be), or
      › the header or payload has been modified in transit.
  • 24.
    - Because NAT rewrites header fields (addresses and ports) that AH's integrity check covers, IPSec AH cannot be reliably passed through a NAT.
    - ESP can still be used to encrypt (and authenticate) the payload, because its integrity check does not cover the outer IP header; however, ESP carries no port numbers, so crossing a NAT requires NAT Traversal (NAT-T), which wraps ESP in UDP on port 4500, and support for ESP without AH and for NAT-T varies among IPSec implementations.
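What slides 23 and 24 describe, as an added example that is not part of the lecture: a keyed integrity check over a packet's immutable fields and payload using a key both peers share, verified with replay protection, and the ways it fails. The Packet class, the key, the addresses and the payload are constructed for the demo; real AH uses a truncated HMAC over more header fields and a sliding anti-replay window rather than a set.

```python
"""AH-style integrity check over a packet's immutable fields, and why NAT breaks it.
Added example, standard library only; Packet, key and addresses are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int            # mutable in transit: every router decrements it
    payload: bytes


def immutable_view(pkt: Packet) -> bytes:
    """Bytes the ICV covers: addresses, protocol and payload. TTL (and, in real AH,
    the header checksum and other mutable fields) is treated as zero so that
    ordinary routing does not invalidate the ICV."""
    return (ipaddress.IPv4Address(pkt.src).packed + ipaddress.IPv4Address(pkt.dst).packed
            + struct.pack("!BB", pkt.proto, 0) + pkt.payload)


def ah_sign(pkt: Packet, key: bytes, seq: int) -> bytes:
    """Sender: keyed hash (HMAC-SHA256 here; AH specifies truncated HMACs) over the
    sequence number and the immutable view, with the key both peers share."""
    return hmac.new(key, struct.pack("!I", seq) + immutable_view(pkt), hashlib.sha256).digest()


def ah_verify(pkt: Packet, key: bytes, seq: int, icv: bytes) -> bool:
    """Receiver: recompute with the same key and compare in constant time."""
    return hmac.compare_digest(ah_sign(pkt, key, seq), icv)


class AhReceiver:
    """Verification plus anti-replay. AH keeps a sliding window of sequence
    numbers; an unbounded set is used here for brevity."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def accept(self, pkt: Packet, seq: int, icv: bytes) -> bool:
        if seq in self.seen or not ah_verify(pkt, self.key, seq, icv):
            return False
        self.seen.add(seq)
        return True


def router_hop(pkt: Packet) -> Packet:
    """An ordinary router only decrements TTL, which the ICV does not cover."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_hop(pkt: Packet, public_ip: str) -> Packet:
    """A source NAT rewrites the source address, which the ICV does cover."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def demo(key: bytes = b"constructed key shared by both peers") -> dict:
    original = Packet("10.1.0.7", "10.2.0.25", 6, 64, b"POST /pay amount=10")
    icv = ah_sign(original, key, seq=1)
    receiver = AhReceiver(key)
    return {
        "plain_routing": receiver.accept(router_hop(original), 1, icv),
        "replayed": receiver.accept(router_hop(original), 1, icv),
        "through_nat": ah_verify(nat_hop(original, "203.0.113.10"), key, 1, icv),
        "payload_tampered": ah_verify(replace(original, payload=b"POST /pay amount=99"), key, 1, icv),
        "wrong_key": ah_verify(router_hop(original), b"attacker key", 1, icv),
    }


if __name__ == "__main__":
    print(demo())
```

Only the packet that crossed plain routers is accepted, and only once. The NAT case fails for exactly the reason slide 24 gives: the rewritten source address is inside the bytes the ICV was computed over, so the receiver cannot distinguish a NAT from an attacker who changed the header.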
  • 25.
    - With Encapsulating Security Payload, the transmitter encrypts the payload of an IP packet with a symmetric cipher, using a session key that both peers share (installed manually or, normally, established by IKE).
    - The receiver decrypts the payload with the same key upon receipt and acts accordingly.
  • 26.
    - In early IPSec systems, keys were manually installed, via file transfer or by actually typing them in.
    - Each machine's key had to be installed on the reciprocal machine.
    - As the number of security associations a host required increased, the burden of manually keying machines became seriously problematic.
  • 27.
    - The Internet Key Exchange (IKE) protocol obviates the need to manually key systems.
    - IKE first authenticates the remote peer (with a pre-shared key or a public-key certificate) to validate its authority to create an IPSec connection, then uses a Diffie-Hellman exchange to derive fresh shared keys that are never themselves sent over the network.
    - Once the keys are derived and the encryption protocols negotiated, a security association is automatically created on both hosts and normal IPSec communication can begin.
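Slides 25 to 27 together, as an added example that is not the lecture's own code: an IKE-style exchange in which each side authenticates the other with a pre-shared key and derives ESP keys from an ephemeral Diffie-Hellman value that never crosses the wire, followed by ESP-style encrypt-then-MAC of a payload with those keys. The Diffie-Hellman modulus is a toy 127-bit prime and the keystream is generated from HMAC-SHA256 instead of AES; both are stand-ins chosen so the example runs on the standard library alone, and the PSK, SPI and payload are constructed.

```python
"""IKE-style authenticated Diffie-Hellman keying followed by ESP-style encrypt-then-MAC.
Added example, standard library only. The DH group and the keystream cipher are toy
stand-ins (see comments); PSK, SPI and payload are constructed."""
import hashlib
import hmac
import secrets
import struct

# Toy DH group: a 127-bit Mersenne prime, far too small for real use. Real IKE
# negotiates a MODP group from RFC 3526 (group 14 or larger) or an elliptic-curve group.
P = (1 << 127) - 1
G = 3


def prf(key: bytes, *parts: bytes) -> bytes:
    """IKE's negotiated PRF, instantiated here as HMAC-SHA256."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def auth_payload(psk: bytes, pub: int, peer_nonce: bytes, sk_p: bytes) -> bytes:
    """PSK-based AUTH: proves knowledge of the PSK and binds it to this DH session."""
    return prf(prf(psk, b"Key Pad for IKEv2"), pub.to_bytes(16, "big"), peer_nonce, sk_p)


class IkePeer:
    """One side of the exchange: its PSK, an ephemeral DH value and a nonce."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1     # ephemeral private exponent, never sent
        self.pub = pow(G, self.x, P)               # g^x, sent in the clear
        self.nonce = secrets.token_bytes(16)

    def derive(self, peer_pub: int, peer_nonce: bytes, initiator: bool) -> dict:
        """g^xy -> SKEYSEED -> per-purpose keys (the IKEv2 key-expansion pattern)."""
        shared = pow(peer_pub, self.x, P).to_bytes(16, "big")
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        skeyseed = prf(ni + nr, shared)
        return {"sk_p": prf(skeyseed, b"sk_p"),    # feeds the AUTH payload
                "sk_e": prf(skeyseed, b"sk_e"),    # ESP encryption key
                "sk_a": prf(skeyseed, b"sk_a")}    # ESP integrity key


def ike_exchange(initiator: IkePeer, responder: IkePeer):
    """Returns (sk_e, sk_a) if both sides authenticate, else None (no SA is created)."""
    # IKE_SA_INIT: each side receives the other's g^x and nonce and derives the same keys
    k_i = initiator.derive(responder.pub, responder.nonce, initiator=True)
    k_r = responder.derive(initiator.pub, initiator.nonce, initiator=False)
    # IKE_AUTH: the initiator proves its PSK; the responder recomputes with its own PSK
    auth_i = auth_payload(initiator.psk, initiator.pub, responder.nonce, k_i["sk_p"])
    if not hmac.compare_digest(auth_i, auth_payload(responder.psk, initiator.pub, responder.nonce, k_r["sk_p"])):
        return None
    auth_r = auth_payload(responder.psk, responder.pub, initiator.nonce, k_r["sk_p"])
    if not hmac.compare_digest(auth_r, auth_payload(initiator.psk, responder.pub, initiator.nonce, k_i["sk_p"])):
        return None
    return k_i["sk_e"], k_i["sk_a"]     # equal to k_r's: both hosts now hold the SA keys


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from the PRF; stands in for the AES modes IPSec really uses."""
    return b"".join(prf(key, iv, struct.pack("!I", i)) for i in range((n + 31) // 32))[:n]


def esp_encrypt(sk_e: bytes, sk_a: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    """ESP packet: SPI | seq | IV | ciphertext | ICV (encrypt-then-MAC, ICV truncated to 128 bits)."""
    iv = secrets.token_bytes(8)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(sk_e, iv, len(plaintext))))
    hdr = struct.pack("!II", spi, seq) + iv
    return hdr + ct + prf(sk_a, hdr, ct)[:16]


def esp_decrypt(sk_e: bytes, sk_a: bytes, pkt: bytes) -> tuple:
    """Check the ICV before decrypting anything; returns (spi, seq, plaintext)."""
    hdr, ct, icv = pkt[:16], pkt[16:-16], pkt[-16:]
    if not hmac.compare_digest(prf(sk_a, hdr, ct)[:16], icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", hdr[:8])
    return spi, seq, bytes(c ^ k for c, k in zip(ct, _keystream(sk_e, hdr[8:], len(ct))))


def demo() -> dict:
    psk = b"constructed pre-shared key"
    sk_e, sk_a = ike_exchange(IkePeer(psk), IkePeer(psk))
    pkt = esp_encrypt(sk_e, sk_a, spi=0x1001, seq=1, plaintext=b"GET /payroll HTTP/1.0\r\n")
    _, seq, plaintext = esp_decrypt(sk_e, sk_a, pkt)
    tampered = pkt[:20] + bytes([pkt[20] ^ 0x80]) + pkt[21:]     # flip one ciphertext bit
    try:
        esp_decrypt(sk_e, sk_a, tampered)
        tamper_result = "accepted"
    except ValueError as err:
        tamper_result = str(err)
    return {"wrong_psk_rejected": ike_exchange(IkePeer(psk), IkePeer(b"wrong psk")) is None,
            "seq": seq, "plaintext": plaintext,
            "payload_hidden": b"payroll" not in pkt,
            "tampered": tamper_result}


if __name__ == "__main__":
    print(demo())
```

With mismatched PSKs neither AUTH payload verifies and no security association is created, which is the "validate the remote peer's authority" step of slide 27; with matching PSKs both hosts end up holding identical ESP keys although only g^x, g^y and nonces were exchanged. Flipping one ciphertext bit fails the ICV before decryption is attempted, and because the ICV covers only the ESP packet, an outer IP header rewritten by a NAT would not disturb it.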
  • 28.
    - Layer 2 Tunneling Protocol (L2TP) is an extension of the Point-to-Point Protocol (PPP).
    - PPP is the protocol used when you dial into the Internet with a modem: it transfers data from your computer to a remote access server at your ISP, which forwards the data on to the Internet.
  • 29.
    - Like PPP, L2TP includes a mechanism for secure authentication using a number of different authentication methods.
    - Unlike pure IPSec tunneling, L2TP can carry any interior protocol, including Internetwork Packet Exchange (IPX), AppleTalk and NetBEUI.
    - L2TP packets can also be encrypted using IPSec (L2TP/IPSec).
  • 30.
    - L2TP can be transported over any Data Link layer protocol (ATM, Ethernet, etc.) or Network layer protocol (IP, IPX, etc.).
    - L2TP supports the three requisite functions for a VPN: authentication, encryption (supplied by IPSec) and tunneling.
  • 31.
    - Microsoft and Cisco both recommend it as their primary method for creating VPNs.
    - It is not yet supported by most firewall vendors, however, and it does not transit network address translators well.
  • 32.
    - PPTP was Microsoft's first attempt at secure remote access for network users.
    - PPTP creates an encrypted PPP session between two TCP/IP hosts.
    - Unlike L2TP, PPTP operates only over TCP/IP.
    - PPTP does not use IPSec to encrypt packets; it derives the session key shared between the client and the remote server from a hash of the user's Windows NT password (via MS-CHAP and MPPE).
    - Caveat: deriving the key from the password hash makes PPTP only as strong as that hash; MS-CHAP/MS-CHAPv2 authentication and the RC4-based MPPE encryption it keys are now considered broken, so PPTP should not be used for new deployments.
  • 33.
    - Because of its ubiquity, routing flexibility, and ease of use, it was (at the time of this lecture) probably the most common form of VPN.
  • 34.
    - Use a real firewall
      › Firewalls make ideal VPN endpoints because they can route translated packets between private systems.
    - Secure the base operating system
      › No VPN solution provides effective security if the operating system of the machine it runs on is not secure.
  • 35.
    - Use packet filtering to reject unknown hosts
      › Always use packet filtering to reject connection attempts from every computer except those you have specifically set up to connect to your network remotely.
  • 36.
    - Compress before you encrypt
      › Properly encrypted data cannot be compressed, because ciphertext is indistinguishable from random bytes.
      › So if you want to use compression, you must compress before you encrypt.
      › Caveat: compressing before encrypting means the ciphertext length reveals how compressible the plaintext was, which is the basis of compression side-channel attacks such as CRIME and BREACH; do not compress data that mixes attacker-controlled input with secrets.
  • 37.
    - Secure remote hosts
      › Consider a home user with more than one computer who uses a proxy product like WinGate to share their Internet connection and also has a VPN tunnel established over the Internet to your network.
      › Any attacker on the planet could then proxy through the WinGate server directly into your private network.